Information
The SECADM (security administrator) role grants the authority to create, alter (where applicable), and drop roles, trusted contexts, audit policies, security label components, security policies, and security labels. It is also the authority required to grant and revoke roles, security labels and exemptions, and the SETSESSIONUSER privilege. SECADM authority has no inherent privilege to access data stored in tables. It is recommended that the SECADM role be granted to authorized users only.
If an account that possesses this authority is compromised or used in a malicious manner, the confidentiality, integrity, and availability of data in the DB2 instance will be at increased risk.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Revoke SECADM authority from any user, group, or role that is not authorized to hold it.
1. Connect to the DB2 database.
db2 => connect to $DB2INSTANCE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SECADM ON DATABASE FROM USER <username>
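The procedure above revokes SECADM from one named user. Before running it, a reviewer normally wants to see every current holder of the authority, including groups and roles, since a user can inherit SECADM through either. The following is an added example, not part of the Nessus plugin text or the CIS benchmark; it queries the SYSCAT.DBAUTH catalog view of the connected database and then applies the REVOKE in the form matching each grantee type. The grantee names APPUSER1, LEGACYGRP, and OLD_ROLE are constructed placeholders.

```sql
-- Added example (not part of the Nessus plugin text): list every grantee that
-- holds SECADM on the connected database, then revoke it from unauthorized
-- holders. Run from the DB2 CLP after the connect step above; SYSCAT.DBAUTH
-- covers only the currently connected database, so repeat per database.
-- APPUSER1, LEGACYGRP and OLD_ROLE are constructed placeholder names.

-- 1. Review who holds SECADM. GRANTEETYPE is 'U' (user), 'G' (group) or
--    'R' (role); a user holding the authority through a group or role does
--    not appear as a 'U' row, so all three types must be checked.
SELECT GRANTEE, GRANTEETYPE, GRANTOR
  FROM SYSCAT.DBAUTH
 WHERE SECURITYADMAUTH = 'Y'
 ORDER BY GRANTEETYPE, GRANTEE;

-- 2. Revoke from each unauthorized holder, using the REVOKE form that
--    matches its GRANTEETYPE. SECADM can be granted and revoked only by an
--    account that itself holds SECADM, so issue these from such an account.
REVOKE SECADM ON DATABASE FROM USER APPUSER1;
REVOKE SECADM ON DATABASE FROM GROUP LEGACYGRP;
REVOKE SECADM ON DATABASE FROM ROLE OLD_ROLE;

-- 3. Re-run the check; only the approved security administrator(s) should
--    remain.
SELECT GRANTEE, GRANTEETYPE
  FROM SYSCAT.DBAUTH
 WHERE SECURITYADMAUTH = 'Y';
```

Note that revoking SECADM does not touch other authorities the same grantee may hold (DBADM, DATAACCESS, ACCESSCTRL, and so on); each of those is a separate column in SYSCAT.DBAUTH and is reviewed under its own benchmark item.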